Mandiant: ‘advanced attackers’ exploiting trusted supplier-client VPN
- — 14 March, 2013 10:54
Advanced attackers are increasingly exploiting the privileged communication channels that targets give their suppliers to launch attacks, according to US security firm, Mandiant.
The firm behind the recent report on Chinese hacking groups such as the Comment Crew says attackers are often attacking a victim’s service provider “solely as a means to find a way into their real target -- the client.”
“During our investigations in 2012, we found an increase in the number of outsourced and managed service providers who were compromised and used as a primary access point for attackers to gain entry to their victims’ networks,” the Virginia-headquartered company says in a report released Wednesday canvassing investigations it conducted in 2012.
The attackers may lay dormant on a service provider’s network for months or years, sparingly using backdoors at the supplier in the event the attacker needed to regain access to the primary target.
However, a typical attack scenario it outlines is where an attacker compromises the supplier in order to exploit the site-to-site VPN tunnel between supplier and client. The attacker exploits the trust between the two, reflected by “limited access restrictions” in the VPN connection between the pair, and compromises the client from the supplier’s network.
Mandiant also notes that while reconnaissance on a victim’s network is not new, attackers are putting more energy into mapping a target’s network. It investigated multiple cases where the first documents that attackers stole were related to network infrastructure, processing methodologies and payment card industry (PCI) audit data, in addition to system administration guides.
The information helped attackers exploit system misconfigurations and allowed for swifter access to sought after data.
Attackers also frequently re-hack organisations that have been previously compromised. According to Mandiant, 38 percent of the clients it responded to in 2012 were attacked again after the first incident was remediated. The industry with the most repeated attacks in 2012 was Aerospace and Defence (31 percent), followed by Energy, Oil, and Gas (17 percent), Pharmaceuticals (15 percent), and Finance (11 percent).
The report also notes a rise in so-called watering hole attacks, where employees are targeted via an exploit placed on a website they frequently visit as part of their job. Computers of developers at Apple, Microsoft and Facebook were compromised using this technique via at least one site catering to iOS developers.
Mandiant’s investigations revealed the average number of days it took for organisations to detect the presence of attackers on the network was 243 days, down from 416 in 2011. Victims discovered the breach internally in 37 percent of Mandiant’s investigations and 63 percent were alerted to it by a third party. Most third party notifications were by law enforcement.